Abstract

We consider a natural generalization of an abelian Hidden Subgroup Problem where 
the subgroups and their cosets correspond to graphs of linear functions over a finite field 
F with d elements. The hidden functions of the generalized problem are not restricted 
to be linear but can also be m-variate polynomial functions of total degree n>2. 

The problem of identifying hidden m-variate polynomials of degree less than or equal
to n for fixed n and m is hard on a classical computer since $\Omega(\sqrt{d})$ black-box queries
are required to guarantee a constant success probability. In contrast, we present a 
quantum algorithm that correctly identifies such hidden polynomials for all but a finite 
number of values of d with constant probability and that has a running time that is 
only polylogarithmic in d. 

1 Introduction 

Shor's algorithm for factoring integers and calculating discrete logarithms [21] is one
of the most important and well-known examples of an exponential speed-up based on
quantum computation. This algorithm as well as other fast quantum algorithms for
number-theoretical problems [11, 12, 20, 16] essentially rely on the efficient solution
of an abelian Hidden Subgroup Problem (HSP) 3j. This has naturally raised the 
questions of what interesting problems can be reduced to the non-abelian HSP and 
of whether the general non-abelian HSP can also be solved efficiently on a quantum 
computer. 

It is known that an efficient quantum algorithm for the dihedral HSP would give rise 
to efficient quantum algorithms for certain lattice problems [19], and that an efficient
quantum algorithm for the symmetric group would give rise to an efficient quantum
algorithm for the graph isomorphism problem [9]. Despite the fact that efficient
algorithms have been developed for several non-abelian HSP's (see, for example, Ref. [15]
and the references therein), the HSP over the dihedral group and the symmetric group 
have withstood all attempts so far. Moreover, there is evidence that the non-abelian 
HSP might be hard for some groups such as the symmetric group [14].

Another idea to generalize abelian HSP is to consider Hidden Shift Problems [HE] or 
problems with hidden non-linear structures [5, 13, 22]. In the latter context, we define
and analyze a black-box problem that is based on polynomial functions of degree n > 2 
and that can be reduced to an instance of the yet unsolved Hidden Polynomial Problem 
(HPP) [5]. Although our problem can be seen as a special case we refer to it as HPP 
in the following. The subgroups and the cosets of the HSP are generalized to graphs of 
polynomial multivariate functions going through the origin and to translated function 
graphs, respectively. 

To solve this new problem, we use the "pretty good measurement" framework, 
which was introduced in Ref. [2] to obtain efficient quantum algorithms for the HSP 
over some semidirect product groups. First, we reduce the HPP to a quantum state 
identification problem. Second, we design a measurement scheme for distinguishing 
the states. Third, we relate the success probability and implementation to a classical 
algebro-geometric problem. The analysis of this classical problem leads us to an efficient 
quantum algorithm for the black-box problem. 

This paper is organized as follows. In Section 2 we define the Hidden Polynomial 
Problem and show that it suffices to solve the univariate case on a quantum computer. 
In Section 3 we reduce this case to a state distinguishing problem and present a mea- 
surement scheme to solve it. In Section 4, we prove that the measurement scheme 
can be implemented efficiently and its success probability is bounded from below by 
a constant, which is independent of d. To do this, we analyze the properties of an 
algebro-geometric problem related to the black-box problem. In Section 5 we conclude 
and discuss possible objectives for further research. 

2 Hidden Polynomial Problem 

The Hidden Polynomial Problem is a natural generalization of the abelian HSP over 
groups of the special form $G := \mathbb{F}^{m+1}$. The hidden subgroup is defined by the m
generators $(0, \ldots, 1, \ldots, 0, q_i) \in \mathbb{F}^{m+1}$ where the 1 is in the ith component and $q_i$ is in
$\mathbb{F}$. In this case, the hidden subgroup $H_Q$ and its cosets $H_{Q,z}$ for $z \in \mathbb{F}$ are given by

$$H_Q := \{(x, Q(x)) : x \in \mathbb{F}^m\} \quad\text{and}\quad H_{Q,z} := \{(x, Q(x) + z) : x \in \mathbb{F}^m\}$$

where Q is the unknown linear polynomial $Q(X_1, \ldots, X_m) = q_1 X_1 + \ldots + q_m X_m$. For
the HPP we also consider polynomials of higher degree.

Definition 2.1. Let $\mathbb{F}$ be a finite field with d elements and characteristic p and
let $Q(X_1, \ldots, X_m) \in \mathbb{F}[X_1, \ldots, X_m]$ be an arbitrary polynomial with total degree
$\deg(Q) \le n$ and vanishing constant term.¹ Furthermore, let $B : \mathbb{F}^{m+1} \to \mathbb{F}$ be a
black-box function with

$$B(r_1, \ldots, r_m, s) := \pi(s - Q(r_1, \ldots, r_m))$$

where $\pi$ is an unknown (but fixed) arbitrary permutation of the elements of $\mathbb{F}$. The
Hidden Polynomial Problem is to identify the polynomial Q if only the black-box
function B is given.

Remark 2.2 (General Definition of HPP). The general HPP, which is defined in Ref. [5],
can be equivalently reformulated as follows: The black-box function $h : \mathbb{F}^\ell \to \mathbb{F}$ is
given by $h(r_1, \ldots, r_\ell) := \pi(P(r_1, \ldots, r_\ell))$, where $\pi$ is an unknown (but fixed) arbitrary
permutation of $\mathbb{F}$ and $P(X_1, \ldots, X_\ell)$ is the hidden polynomial. Hence, the black-boxes
B from Def. 2.1 occur as special cases when the polynomials P are restricted to have
the form

$$P(X_1, \ldots, X_m, Y) := Y - Q(X_1, \ldots, X_m).$$

This restriction makes it possible to obtain an efficient quantum algorithm.

Remark 2.3 (Classical Query Complexity). To derive a lower bound on the classical
query complexity, we only consider the case of univariate polynomials of degree 1.
Due to the permutation $\pi$ the function values $B(r, s)$ themselves are useless. We
need to obtain at least one collision, i.e., two different points $(r, s)$ and $(\tilde r, \tilde s)$ with
$B(r, s) = B(\tilde r, \tilde s)$, to determine the slope of the hidden line. Assume we have queried
the black-box B at N different points and have not seen any collision. Then we can
exclude at most $\binom{N}{2} = O(N^2)$ different slopes. Since there are d different slopes and all
are equally likely, we have to make $\Omega(\sqrt{d})$ queries to determine the slope with constant
success probability.

We say that a quantum algorithm for this problem is efficient if its running time is
polylogarithmic in the field size d for a fixed number m of variables and a fixed
maximum total degree n. We present such an efficient algorithm by first classically reducing
the m-variate problem to the univariate problem and then by solving the univariate problem on
a quantum computer. The reduction is described in the following lemma. For simplicity,
we initially assume that the univariate case can be solved with probability 1 and
show then how to deal with the other cases.

Lemma 2.4. Assume that we can solve the univariate problem of degree n or less with
success probability 1. Then, there is a simple recursive interpolation scheme that solves
the m-variate problem by solving at most

$$\kappa_m = n^{m-1} + n^{m-2} + \ldots + 1 \qquad (1)$$

univariate problems.
¹ A polynomial with constant term could also be considered in the following discussions. However, the
constant term is randomized by our algorithm and cannot be determined as a consequence.

Proof. First, rewrite Q as

$$Q(X_1, \ldots, X_m) = \sum_a Q_a(X_m) \cdot X_1^{a_1} \cdots X_{m-1}^{a_{m-1}}$$

where $a = (a_1, \ldots, a_{m-1})$ is a vector with the exponents of the variables $X_1, \ldots, X_{m-1}$.
For the recursion we assume that we have an efficient algorithm for polynomials with
m − 1 variables or less. Then we solve the m-variate problem with the following two
steps.

• Step 1: Set the variables $X_1, \ldots, X_{m-1}$ to 0. We obtain

$$Q(0, \ldots, 0, X_m) = Q_{(0,\ldots,0)}(X_m),$$

which is a univariate polynomial. It has no constant term because Q also has no
constant term. This is a univariate problem and can be solved by assumption.

• Step 2: For n different fixed $t_j \in \mathbb{F}$ we consider the polynomials

$$Q(X_1, \ldots, X_{m-1}, t_j) = \sum_a Q_a(t_j) \cdot X_1^{a_1} \cdots X_{m-1}^{a_{m-1}}$$

where $Q_a(t_j)$ is a constant coefficient. By assumption we can determine all $Q_a(t_j)$
for $a \ne (0, \ldots, 0)$. Denote by $|a| = \sum_j a_j$ the degree of the monomial defined by
a. Since for $|a| \ge 1$ the polynomial $Q_a(X_m)$ has degree $n - |a|$ and since we know
n function values, we can determine $Q_a$ efficiently with Lagrange interpolation

ma- 

Let $\kappa_m$ be the total number of univariate problems with degree n or less that we have
to solve in the recursive scheme. We have $\kappa_1 = 1$ and $\kappa_m = \kappa_1 + n \cdot \kappa_{m-1}$. This leads
to the expression in Eq. (1). □
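The recursion of Lemma 2.4 and the collision idea of Remark 2.3, simulated classically over a prime field as an added example (not code from the paper). The univariate solver is a classical stand-in that spends about d queries on collisions with the row r = 0; the function names, p = 11, n = 2 and the sample polynomial are assumptions chosen for illustration.

```python
# Added example: classical simulation of the reduction in Lemma 2.4 over a prime field F_p.
import random

P = 11  # field size d = p (prime, so F_p is the integers mod p); needs p > N
N = 2   # maximum total degree n of the hidden polynomial


def evaluate(poly, point):
    """Evaluate a polynomial {exponent tuple: coefficient} at a point of F_p^m."""
    total = 0
    for exps, coeff in poly.items():
        term = coeff
        for e, v in zip(exps, point):
            term = term * pow(v, e, P) % P
        total = (total + term) % P
    return total


def make_black_box(poly, seed=0):
    """B(r_1..r_m, s) = pi(s - Q(r_1..r_m)) for a hidden random permutation pi."""
    perm = list(range(P))
    random.Random(seed).shuffle(perm)
    return lambda *args: perm[(args[-1] - evaluate(poly, args[:-1])) % P]


def interpolate(xs, ys):
    """Lagrange interpolation mod p: coefficients (low to high) of the
    polynomial of degree < len(xs) through the points (xs[i], ys[i])."""
    coeffs = [0] * len(xs)
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        basis, denom = [1], 1
        for j, xj in enumerate(xs):
            if j != i:
                # multiply the basis polynomial by (X - xj)
                basis = [(a - xj * b) % P for a, b in zip([0] + basis, basis + [0])]
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        coeffs = [(c + scale * b) % P for c, b in zip(coeffs, basis)]
    return coeffs


def solve_univariate(box):
    """Classical stand-in for the univariate solver assumed in Lemma 2.4.
    B(0, s') = pi(s' - c) tabulates pi; B(r, 0) = pi(-R(r)) collides with the
    entry s' = c - R(r), so the constant term c cancels (footnote 1)."""
    table = {box(0, s): s for s in range(P)}
    xs = list(range(N + 1))
    ys = [-table[box(r, 0)] % P for r in xs]
    return interpolate(xs, ys)[1:]  # q_1..q_n; the constant entry is always 0


def solve(box, m):
    """Recursive scheme of Lemma 2.4: returns (coefficients, univariate problems solved)."""
    if m == 1:
        return {(i,): c for i, c in enumerate(solve_univariate(box), 1) if c}, 1
    # Step 1: X_1 = ... = X_{m-1} = 0 leaves the univariate polynomial Q_(0,...,0)(X_m).
    q0 = solve_univariate(lambda r, s: box(*([0] * (m - 1)), r, s))
    result = {(0,) * (m - 1) + (i,): c for i, c in enumerate(q0, 1) if c}
    calls = 1
    # Step 2: fix X_m = t_j for n field elements and recurse on m - 1 variables.
    ts = list(range(1, N + 1))
    slices = []
    for t in ts:
        coeffs, used = solve(lambda *a, t=t: box(*a[:-1], t, a[-1]), m - 1)
        slices.append(coeffs)
        calls += used
    # Each Q_a(X_m) with a != 0 has degree <= n - 1: interpolate it from n values.
    for a in {a for sl in slices for a in sl}:
        for i, c in enumerate(interpolate(ts, [sl.get(a, 0) for sl in slices])):
            if c:
                result[a + (i,)] = c
    return result, calls


def kappa(m):
    """Eq. (1): n^(m-1) + ... + n + 1."""
    return sum(N ** i for i in range(m))


# Constructed sample: Q = 3 X1^2 + 5 X1 X3 + 7 X2 + 4 X2 X3 + X3 + 2 X3^2 over F_11.
HIDDEN = {(2, 0, 0): 3, (1, 0, 1): 5, (0, 1, 0): 7,
          (0, 1, 1): 4, (0, 0, 1): 1, (0, 0, 2): 2}

if __name__ == "__main__":
    found, calls = solve(make_black_box(HIDDEN, seed=1), 3)
    print(found == HIDDEN, calls, kappa(3))
```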

We have assumed that the univariate case can be solved with success probability
1. However, our quantum algorithm fails to correctly identify the hidden univariate
polynomial with some nonzero (but constant) probability $p_f$. We can reduce the failure
probability of the quantum algorithm for the univariate case to $p_f/\kappa_m$ by repeating it
a certain number of times, which is independent of d. Then, by the union bound we
see that the failure probability of the overall algorithm for the m-variate problem is at
most $p_f$.



3 Distinguishing Polynomial Function States 

Most quantum algorithms for HSP's are based on the standard approach, which reduces 
black-box problems to state distinguishing problems. We apply this approach to the 
Hidden Polynomial Problem as follows: 

• Evaluate the black-box function on an equally weighted superposition of all
$(r, s) \in \mathbb{F}^2$. The resulting state is

$$\frac{1}{d} \sum_{r,s \in \mathbb{F}} |r\rangle \otimes |s\rangle \otimes |\pi(s - Q(r))\rangle$$

• Measure and discard the third register. Assume we have obtained the result
$\pi(z)$ with $z := s - Q(r)$. Then the state on the first and second register is
$\rho_{Q,z} := |\phi_{Q,z}\rangle\langle\phi_{Q,z}|$ where

$$|\phi_{Q,z}\rangle := \frac{1}{\sqrt{d}} \sum_{r \in \mathbb{F}} |r\rangle \otimes |Q(r) + z\rangle$$

with the unknown polynomial Q, and z is uniformly at random. The corresponding
density matrix is

$$\rho_Q := \frac{1}{d} \sum_{z \in \mathbb{F}} |\phi_{Q,z}\rangle\langle\phi_{Q,z}|. \qquad (2)$$

² Note that the degree of each variable in the polynomials is w.l.o.g. smaller than the size d of $\mathbb{F}$ after
reducing exponents modulo d − 1, which is the order of the multiplicative group $\mathbb{F}^\times$.

We refer to the states $\rho_Q$ as polynomial function states. We have to distinguish these
states in order to solve the black-box problem.

3.1 Structure of Polynomial Function States 

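To obtain a compact expression for polynomial function states $\rho_Q$ we introduce the
shift operator

$$S_\Delta := \sum_{x \in \mathbb{F}} |\Delta + x\rangle\langle x|$$

for $\Delta \in \mathbb{F}$, which directly leads to

$$\rho_Q = \frac{1}{d^2} \sum_{b,c \in \mathbb{F}} |b\rangle\langle c| \otimes S_{Q(b)-Q(c)}.$$

Now we use the fact that the shift operators $S_\Delta$ for all $\Delta \in \mathbb{F}$ can be diagonalized
simultaneously with the Fourier transform

$$\mathrm{DFT}_{\mathbb{F}} := \frac{1}{\sqrt{d}} \sum_{x,y \in \mathbb{F}} \omega_p^{\mathrm{Tr}(xy)} |x\rangle\langle y|$$

over $\mathbb{F}$, where $\mathrm{Tr} : \mathbb{F} \to \mathbb{F}_p$ is the trace map of the field extension $\mathbb{F}/\mathbb{F}_p$ and
$\omega_p := e^{2\pi i/p}$ is a primitive complex pth root of unity. The Fourier transform $\mathrm{DFT}_{\mathbb{F}}$ can be
approximated to within error $\epsilon$ in time polynomial in $\log(|\mathbb{F}|)$ and $\log(1/\epsilon)$ [7]. For
simplicity, we assume that it can be implemented perfectly (as the error can be made
exponentially small with polynomial resources only). We have

$$\mathrm{DFT}_{\mathbb{F}} \cdot S_\Delta \cdot \mathrm{DFT}_{\mathbb{F}}^\dagger = \sum_{x \in \mathbb{F}} \omega_p^{\mathrm{Tr}(\Delta x)} |x\rangle\langle x|.$$

Consequently, the density matrices have the block diagonal form

$$\tilde\rho_Q := (\mathbf{1}_d \otimes \mathrm{DFT}_{\mathbb{F}}) \cdot \rho_Q \cdot (\mathbf{1}_d \otimes \mathrm{DFT}_{\mathbb{F}}^\dagger) = \frac{1}{d^2} \sum_{b,c,x \in \mathbb{F}} \chi([Q(b) - Q(c)]x)\, |b\rangle\langle c| \otimes |x\rangle\langle x|$$

in the Fourier basis where we set $\chi(z) := \omega_p^{\mathrm{Tr}(z)}$ for all $z \in \mathbb{F}$ and where $\mathbf{1}_d$ denotes the
identity matrix of size d.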

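By repeating the standard approach k times for the same black-box function B, we
obtain the density matrix $\tilde\rho_Q^{\otimes k}$. After rearranging the registers we can write

$$\begin{aligned}
\tilde\rho_Q^{\otimes k} &= \frac{1}{d^{2k}} \sum_{b,c,x \in \mathbb{F}^k} \chi\Big( \sum_{j=1}^{k} [Q(b_j) - Q(c_j)]\, x_j \Big)\, |b\rangle\langle c| \otimes |x\rangle\langle x| \\
&= \frac{1}{d^{2k}} \sum_{b,c,x \in \mathbb{F}^k} \chi\Big( \sum_{j=1}^{k} \sum_{i=1}^{n} q_i (b_j^i - c_j^i)\, x_j \Big)\, |b\rangle\langle c| \otimes |x\rangle\langle x| \\
&= \frac{1}{d^{2k}} \sum_{b,c,x \in \mathbb{F}^k} \chi\Big( \sum_{i=1}^{n} q_i \sum_{j=1}^{k} (b_j^i - c_j^i)\, x_j \Big)\, |b\rangle\langle c| \otimes |x\rangle\langle x| \\
&= \frac{1}{d^{2k}} \sum_{b,c,x \in \mathbb{F}^k} \chi\big( \langle q, (\Phi_n(b) - \Phi_n(c))\, x \rangle \big)\, |b\rangle\langle c| \otimes |x\rangle\langle x|
\end{aligned}$$

where q, $\Phi_n(b)$, and $\Phi_n(c)$ are defined as follows:

• $q := (q_1, q_2, \ldots, q_n)^T \in \mathbb{F}^n$ is the column vector whose entries are the coefficients
of the hidden polynomial $Q(X) = \sum_{i=1}^{n} q_i X^i$,

• $\Phi_n(b)$ is the n × k matrix

$$\Phi_n(b) := \sum_{i=1}^{n} \sum_{j=1}^{k} b_j^i\, |i\rangle\langle j| = \begin{pmatrix} b_1 & b_2 & \cdots & b_k \\ b_1^2 & b_2^2 & \cdots & b_k^2 \\ \vdots & \vdots & & \vdots \\ b_1^n & b_2^n & \cdots & b_k^n \end{pmatrix},$$

• $\langle \cdot, \cdot \rangle$ denotes the map $\mathbb{F}^n \times \mathbb{F}^n \to \mathbb{F}$ with $\langle v, w \rangle = v_1 w_1 + \ldots + v_n w_n$.
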

3.2 Algebro-Geometric Problem 

We now show how to construct an orthogonal measurement for distinguishing the states
$\tilde\rho_Q^{\otimes k}$ by applying and suitably modifying the "pretty good measurement" techniques
developed in [H [21 [3] . Both the success probability and the efficient implementation 
of our measurement are closely related to the following algebro-geometric problem: 
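Consider the problem to determine all $b \in \mathbb{F}^k$ for given $x \in \mathbb{F}^k$ and $w \in \mathbb{F}^n$ such that
$\Phi_n(b) \cdot x = w$, i.e.,

$$\begin{pmatrix} b_1 & b_2 & \cdots & b_k \\ b_1^2 & b_2^2 & \cdots & b_k^2 \\ \vdots & \vdots & & \vdots \\ b_1^n & b_2^n & \cdots & b_k^n \end{pmatrix} \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_k \end{pmatrix} = \begin{pmatrix} w_1 \\ w_2 \\ \vdots \\ w_n \end{pmatrix}. \qquad (3)$$

We denote the set of solutions to these polynomial equations and its cardinality by
$S_w^x := \{b \in \mathbb{F}^k : \Phi_n(b) \cdot x = w\}$ and $\eta_w^x := |S_w^x|$,
respectively. We also define the quantum states $|S_w^x\rangle$ to be the equally weighted
superposition of all solutions

$$|S_w^x\rangle := \frac{1}{\sqrt{\eta_w^x}} \sum_{b \in S_w^x} |b\rangle$$

if $\eta_w^x > 0$ and $|S_w^x\rangle$ to be the zero vector otherwise. Using this notation we can write
the state $\tilde\rho_Q^{\otimes k}$ as

$$\tilde\rho_Q^{\otimes k} = \frac{1}{d^{2k}} \sum_{x \in \mathbb{F}^k} \sum_{w,v \in \mathbb{F}^n} \chi(\langle q, w \rangle - \langle q, v \rangle) \sqrt{\eta_w^x \eta_v^x}\, |S_w^x\rangle\langle S_v^x| \otimes |x\rangle\langle x|. \qquad (4)$$
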

3.3 Idealized Measurement for Identifying the States 

We first consider an idealized situation to explain the intuition behind the measurement
that we will use in the following sections to solve the HPP efficiently. Assume that
there is an efficient implementation of the unitary transformation $U_x$ that depends on
x and that satisfies the equation

$$U_x |S_w^x\rangle = |w\rangle \qquad (5)$$

for all (x, w) with $\eta_w^x > 0$. Then, there is an efficient measurement for identifying the
polynomial states with success probability

$$\frac{1}{d^{2k+n}} \sum_{x \in \mathbb{F}^k} \Big( \sum_{w \in \mathbb{F}^n} \sqrt{\eta_w^x} \Big)^2. \qquad (6)$$


For the proof, we observe that the block structure of the states $\tilde\rho_Q^{\otimes k}$ in Eq. (4)
implies that we can measure the second register in the computational basis without
any loss of information. The probability of obtaining a particular x is



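i.e., we have the uniform distribution, and the resulting reduced state is

$$\tilde\rho_Q^x = \frac{1}{d^k} \sum_{w,v \in \mathbb{F}^n} \chi(\langle q, w \rangle - \langle q, v \rangle) \sqrt{\eta_w^x \eta_v^x}\, |S_w^x\rangle\langle S_v^x|. \qquad (7)$$

We now apply $U_x$ to the state $\tilde\rho_Q^x$ of Eq. (7) and obtain

$$U_x \tilde\rho_Q^x U_x^\dagger = \frac{1}{d^k} \sum_{w,v \in \mathbb{F}^n} \chi(\langle q, w \rangle - \langle q, v \rangle) \sqrt{\eta_w^x \eta_v^x}\, |w\rangle\langle v|.$$

After having applied the transform $U_x$, we measure in the Fourier basis, i.e., we carry
out the orthogonal measurement with respect to the states

$$|\psi_{q'}\rangle := \frac{1}{\sqrt{d^n}} \sum_{w \in \mathbb{F}^n} \chi(\langle q', w \rangle)\, |w\rangle \qquad (8)$$

where q' ranges over all tuples in $\mathbb{F}^n$. Simple computations show that the probability
for the correct identification of the state $\tilde\rho_Q^x$ is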




The probability of correctly identifying Q is obtained by averaging, i.e., summing the
probabilities in Eq. (9) over all x and multiplying the sum by $1/d^k$. It is equal to
the expression in Eq. (6). This completes the proof.

The problem with this idealized measurement is that there are pairs (x, w) where
$\eta_w^x$ is in the order of d. It is not clear how to implement the unitary $U_x$ in Eq. (5)
efficiently in these cases. In the next subsection we consider an approximate version $V_x$
of $U_x$. This approximation guarantees that $U_x |S_w^x\rangle = V_x |S_w^x\rangle$ is satisfied for pairs (x, w)
with $1 \le \eta_w^x \le D$ where D is some constant. We show that $V_x$ can be implemented
efficiently and that the resulting approximate measurement is good enough to identify
the states with constant success probability.



3.4 Approximate Measurement 

In this and the following sections we set k = n, i.e., the number k of copies equals the
maximum degree n of the hidden polynomials. Furthermore, let D be some positive
integer that depends on n but not on d, let $X_{\mathrm{good}} \subseteq \mathbb{F}^n$ be some subset, and for
$x \in X_{\mathrm{good}}$ let $W^x_{\mathrm{good}}$ be some subset of $\{w \in \mathbb{F}^n \mid 1 \le \eta_w^x \le D\}$. The number D and the
sets $X_{\mathrm{good}}$ and $W^x_{\mathrm{good}}$ will be determined later. We define the subset

$$B^x_{\mathrm{good}} := \{b \in \mathbb{F}^n \mid \Phi_n(b) \cdot x = w \text{ for some } w \in W^x_{\mathrm{good}}\} \qquad (10)$$

for all $x \in X_{\mathrm{good}}$.

Lemma 3.1. Assume that there are efficient classical methods for testing membership
in $X_{\mathrm{good}}$ and $W^x_{\mathrm{good}}$ and for enumerating the elements of $S_w^x$ for given $x \in X_{\mathrm{good}}$ and
$w \in W^x_{\mathrm{good}}$. Then there is an efficient approximate measurement for identifying the
states with success probability bounded from below by

$$\frac{1}{d^{3n}} \cdot |X_{\mathrm{good}}| \cdot |W_{\mathrm{good}}|^2, \qquad (11)$$

where $|W_{\mathrm{good}}| := \min_{x \in X_{\mathrm{good}}} |W^x_{\mathrm{good}}|$.

Remark 3.2. Note that the lower bound is a constant if $|X_{\mathrm{good}}| = \Omega(d^n)$ and $|W_{\mathrm{good}}| = \Omega(d^n)$.
We analyze the algebro-geometric problem and show that all the above properties
are satisfied and the cardinalities of the sets are sufficiently large.

Proof. Let us assume that we have obtained $x \in X_{\mathrm{good}}$ in the first measurement step
as described in Section 3.3. The probability of this event is $|X_{\mathrm{good}}|/d^n$. We now discuss
the approximate transformation $V_x$ and the resulting success probability. Let $P_{\mathrm{good}}$ be
the projector onto the subspace spanned by $|b\rangle$ for all $b \in B^x_{\mathrm{good}}$. Clearly, the orthogonal
measurement defined by $P_{\mathrm{good}}$ can be carried out efficiently since membership in $W^x_{\mathrm{good}}$
can be tested efficiently. The probability to be in the "good" subspace is

$$\mathrm{Tr}(P_{\mathrm{good}}\, \tilde\rho_Q^x\, P_{\mathrm{good}}) = \frac{|B^x_{\mathrm{good}}|}{d^n}$$

and the resulting reduced density operator is

$$\tilde\rho^x_{Q,\mathrm{good}} := \frac{1}{|B^x_{\mathrm{good}}|} \sum_{w,v \in W^x_{\mathrm{good}}} \chi(\langle q, w \rangle - \langle q, v \rangle) \sqrt{\eta_w^x \eta_v^x}\, |S_w^x\rangle\langle S_v^x|. \qquad (12)$$

In the following we use the fact that for $x \in X_{\mathrm{good}}$ and all $w \in W^x_{\mathrm{good}}$ the cardinality
$\eta_w^x$ is bounded from above by D and that the elements of the sets $S_w^x$ can be computed
efficiently. In this case we have an efficiently computable bijection between $S_w^x$ and
the set $\{(w, j) : j = 0, \ldots, \eta_w^x - 1\}$. This bijection is obtained by sorting the elements
of $S_w^x$ according to the lexicographic order on $\mathbb{F}^n$ and associating to each $b \in S_w^x$ the
unique $j \in \{0, \ldots, \eta_w^x - 1\}$ corresponding to its position in $S_w^x$.
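An added illustration, not part of the paper: the sets $S_w^x$, the bijection between b and (w, j) described above, and the quantities in Eqs. (11) and (16), computed by brute force over a small prime field. It assumes $X_{\mathrm{good}} = (\mathbb{F}^\times)^n$ (the choice made later in Prop. 4.1) and takes $W^x_{\mathrm{good}}$ to be every w with $1 \le \eta_w^x \le D$; all function names are hypothetical.

```python
# Added example: brute-force fibers S_w^x of Eq. (3) for k = n over a small prime field F_p.
from itertools import product
from math import sqrt


def phi_times_x(b, x, p):
    """w = Phi_n(b) . x, i.e. w_i = sum_j b_j^i x_j for i = 1..n."""
    return tuple(sum(pow(bj, i, p) * xj for bj, xj in zip(b, x)) % p
                 for i in range(1, len(b) + 1))


def fibers(x, p):
    """Map every attained w to the list S_w^x in lexicographic order."""
    table = {}
    for b in product(range(p), repeat=len(x)):  # product() enumerates b lexicographically
        table.setdefault(phi_times_x(b, x, p), []).append(b)
    return table


def to_label(b, x, p, table):
    """b -> (w, j), where j is the position of b inside the sorted fiber S_w^x."""
    w = phi_times_x(b, x, p)
    return w, table[w].index(b)


def from_label(w, j, table):
    """Inverse direction of the bijection: (w, j) -> b."""
    return table[w][j]


def good_sizes(x, p, D):
    """eta_w^x for all w in W_good^x, taken here as every w with 1 <= eta_w^x <= D."""
    return [len(S) for S in fibers(x, p).values() if len(S) <= D]


def detection_probability(x, p, D):
    """P(good subspace) times Eq. (15): (sum over good w of sqrt(eta_w^x))^2 / d^(2n)."""
    return sum(sqrt(e) for e in good_sizes(x, p, D)) ** 2 / p ** (2 * len(x))


def overall_success(p, n, D):
    """Eq. (16): average of detection_probability over x, restricted to X_good = (F^x)^n."""
    return sum(detection_probability(x, p, D)
               for x in product(range(1, p), repeat=n)) / p ** n


def lemma_bound(p, n, D):
    """Eq. (11): |X_good| * |W_good|^2 / d^(3n), with |W_good| the minimum over x."""
    xs = list(product(range(1, p), repeat=n))
    w_min = min(len(good_sizes(x, p, D)) for x in xs)
    return len(xs) * w_min ** 2 / p ** (3 * n)


if __name__ == "__main__":
    p, n, D = 7, 2, 2
    table = fibers((1, 1), p)
    print("largest fiber for x = (1, 1):", max(len(S) for S in table.values()))
    print("fiber over w = (0, 0) for x = (1, 6):", len(fibers((1, 6), p)[(0, 0)]))
    print("Eq. (16):", overall_success(p, n, D), ">= Eq. (11):", lemma_bound(p, n, D))
```

For x = (1, 6) over the field with 7 elements the fiber over w = (0, 0) is the whole diagonal $b_1 = b_2$, which is why such w must be excluded from $W^x_{\mathrm{good}}$.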

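We now show how to implement the transformation $V_x$ efficiently, which satisfies
$V_x |S_w^x\rangle = |w\rangle$.

• Implement a transformation with

$$|b\rangle \otimes |0\rangle \otimes |0\rangle \mapsto |w\rangle \otimes |j\rangle \otimes |\eta_w^x\rangle \qquad (13)$$

for all $b \in B^x_{\mathrm{good}}$. To make it unitary we can simply map all $b \notin B^x_{\mathrm{good}}$ onto some
vectors that are orthogonal (e.g., by simply flipping some additional qubit saying
that they are bad). Note that b and x determine j and w uniquely and vice versa.
Furthermore, we can compute w and j efficiently since $\eta_w^x$ is bounded from above
by D. Consequently, this unitary acts on the states $|S_w^x\rangle$ as follows

$$\frac{1}{\sqrt{\eta_w^x}} \sum_{b \in S_w^x} |b\rangle \otimes |0\rangle \otimes |0\rangle \mapsto \frac{1}{\sqrt{\eta_w^x}}\, |w\rangle \otimes \sum_{j=0}^{\eta_w^x - 1} |j\rangle \otimes |\eta_w^x\rangle \qquad (14)$$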



• Apply the unitary 

E © v-^-i) ® + E ^ ® 

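on the second and third register. This implements the embedded Fourier transform
$F_\ell$ of size $\ell$ controlled by the second register in order to map the superposition
of all $|j\rangle$ with $j \in \{0, \ldots, \ell - 1\}$ to $|0\rangle$. The resulting state is $|w\rangle \otimes |0\rangle \otimes |\eta_w^x\rangle$.

• Uncompute $|\eta_w^x\rangle$ in the third register with the help of w and x. This leads to the
state $|w\rangle \otimes |0\rangle \otimes |0\rangle$.

We apply $V_x$ to the state of Eq. (12) and obtain

$$V_x\, \tilde\rho^x_{Q,\mathrm{good}}\, V_x^\dagger = \frac{1}{|B^x_{\mathrm{good}}|} \sum_{w,v \in W^x_{\mathrm{good}}} \chi(\langle q, w \rangle - \langle q, v \rangle) \sqrt{\eta_w^x \eta_v^x}\, |w\rangle\langle v|.$$

We now measure in the Fourier basis, i.e., we carry out the orthogonal measurement
with respect to the states $|\psi_{q'}\rangle$ defined in Eq. (8). Analogously to the ideal situation
we obtain that the probability for the correct detection of the state $\tilde\rho_Q$ is

$$\langle \psi_q |\, V_x\, \tilde\rho^x_{Q,\mathrm{good}}\, V_x^\dagger\, | \psi_q \rangle = \frac{1}{d^n\, |B^x_{\mathrm{good}}|} \Big( \sum_{w \in W^x_{\mathrm{good}}} \sqrt{\eta_w^x} \Big)^2. \qquad (15)$$

The overall success probability is

$$\frac{1}{d^n} \sum_{x \in X_{\mathrm{good}}} \frac{|B^x_{\mathrm{good}}|}{d^n}\, \langle \psi_q |\, V_x\, \tilde\rho^x_{Q,\mathrm{good}}\, V_x^\dagger\, | \psi_q \rangle = \frac{1}{d^{3n}} \sum_{x \in X_{\mathrm{good}}} \Big( \sum_{w \in W^x_{\mathrm{good}}} \sqrt{\eta_w^x} \Big)^2. \qquad (16)$$

The first factor $1/d^n$ is the probability that we obtain a specific x. The right most
expression is clearly at least the expression in Eq. (11). □
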



4 Analysis of the Algebro- Geometric Problem 

In this section we show that the cardinalities of the sets $X_{\mathrm{good}}$ and $W^x_{\mathrm{good}}$ in Lemma 3.1
are sufficiently large in the case k = n for all $\mathbb{F}$ that satisfy certain constraints on
the characteristic. This guarantees that the success probability of the approximate
measurement in Section 3.4 is bounded from below by a constant that does not depend
on the field size.

Although our classical algebro-geometric problem appears to be very similar to
the average-case problem in Ref. [2] for the HSP over semidirect product groups, the
elementary arguments of Lemma 5 in Ref. [2] cannot be applied in a straightforward
way to prove that the cardinalities of the sets $X_{\mathrm{good}}$ and $W^x_{\mathrm{good}}$ in Lemma 3.1 are
sufficiently large. More precisely, in the case of the HPP we obtain the first two
moments

$$E[\eta_w^x] = d^{k-n} \quad \text{and} \qquad (17)$$

$$E[(\eta_w^x)^2] = E[\eta_w^x] + \frac{1}{d^{k+n}} \sum_{x \in \mathbb{F}^k} \sum_{b \ne c} \delta\big[ (\Phi_n(b) - \Phi_n(c))\, x = (0, 0, \ldots, 0)^T \big] \qquad (18)$$

for the $\eta_w^x$. Since we have $b \ne c$, there is an index $\ell$ with $b_\ell \ne c_\ell$. It is clear that for
all $b_j$, $c_j$, and $x_j$ with $j \ne \ell$ we have at most one $x_\ell$ such that the condition in the
square bracket is satisfied but it is not obvious when this $x_\ell$ exists. In contrast to the
situation in Ref. [2], this argument only leads to a weak upper bound

$$E[(\eta_w^x)^2] \le E[\eta_w^x] + (d^k - 1)\, d^{k-n-1} \qquad (19)$$






on the second moment. Eq. (17) implies that the number of copies should be at least n.
In this case, however, the upper bound on the second moment is $\Omega(d^{n-1})$. Therefore,
we cannot use the probabilistic arguments of Ref. [2] to prove that $X_{\mathrm{good}}$ and $W^x_{\mathrm{good}}$
have the desired properties.

In the following, we choose an approach that does not rely on any probabilistic 
arguments. We present two different proofs based on algebro-geometric techniques 
that also show that the approximative measurement can be implemented efficiently. 
Both proofs differ slightly in their scope: The first analysis applies if the characteristic 
of F is larger than k = n and the second if a certain polynomial with integer coefficients 
does not vanish when considered modulo the characteristic. Hence, the second analysis 
can be used in some cases when the first analysis cannot be applied and vice versa. 

The notions and results of algebra and algebraic geometry that are used in the 
proofs can be found in Ref. [T7j as well as in Refs. [H [TOl [18] . 



4.1 First Analysis 



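For the analysis of the implementation of $V_x$ and the success probability of our
algorithm for k = n we define the n polynomials $f_i \in \mathbb{F}[X_1, \ldots, X_n, B_1, \ldots, B_n]$ as

$$\begin{pmatrix} f_1 \\ f_2 \\ \vdots \\ f_n \end{pmatrix} := \begin{pmatrix} B_1 & B_2 & \cdots & B_n \\ B_1^2 & B_2^2 & \cdots & B_n^2 \\ \vdots & \vdots & & \vdots \\ B_1^n & B_2^n & \cdots & B_n^n \end{pmatrix} \begin{pmatrix} X_1 \\ X_2 \\ \vdots \\ X_n \end{pmatrix}$$

where the product of the matrix and the vector corresponds to the left-hand side of
Eq. (3). Furthermore, let f be the n-tuple $f := (f_1, \ldots, f_n)$, which defines a map from
$\mathbb{F}^n \times \mathbb{F}^n$ to $\mathbb{F}^n$ with $f(x, b) = (f_1(x, b), \ldots, f_n(x, b))$. Using this notation, $S_w^x$ can be
expressed as

$$S_w^x = \{b \in \mathbb{F}^n : f(x, b) = w\} \quad \text{with } w \in \mathbb{F}^n.$$

For a fixed x the tuple f defines a map from $\mathbb{F}^n$ to $\mathbb{F}^n$ and the sets $S_w^x$ are the preimages
of $w \in \mathbb{F}^n$ under this map.

Let $\bar{\mathbb{F}}$ denote the algebraic closure of $\mathbb{F}$. We also view f as a map from $\bar{\mathbb{F}}^n \times \bar{\mathbb{F}}^n$ to $\bar{\mathbb{F}}^n$.
For given $x, w \in \bar{\mathbb{F}}^n$, we refer to the subvariety $\{b \in \bar{\mathbb{F}}^n \mid f(x, b) = w\}$ of $\bar{\mathbb{F}}^n$ as the fiber
of $f(x, \cdot)$ over w. In the proposition below, we choose the sets $X_{\mathrm{good}}$ and $W^x_{\mathrm{good}}$ such
that the fibers of $f(x, \cdot)$ over w are zero-dimensional. This implies that the numbers
$\eta_w^x$ are bounded from above by some constant D for all $x \in X_{\mathrm{good}}$ and $w \in W^x_{\mathrm{good}}$ since
the sets $S_w^x$ are equal to the intersections of the fibers with $\mathbb{F}^n$.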

Proposition 4.1. Assume that the characteristic p of $\mathbb{F}$ is strictly larger than n, let
$X_{\mathrm{good}} := (\mathbb{F}^\times)^n$, and for $x \in X_{\mathrm{good}}$ set

$$W^x_{\mathrm{good}} := \{w \in \mathbb{F}^n \mid \text{the fiber of } f(x, \cdot) \text{ over } w \text{ is zero-dimensional and } \eta_w^x \ge 1\}.$$

Then the requirements of Lemma 3.1 are satisfied and we have $|X_{\mathrm{good}}| = \Omega(d^n)$ and
$|W^x_{\mathrm{good}}| = \Omega(d^n)$.

Proof. We find the solutions of the system $f(x, b) = w$ efficiently as follows: We
precompute generic reduced Gröbner bases with Buchberger's algorithm for the
lexicographic order [10, 6], i.e., we treat the coefficients of the polynomials in the variables
$B_i$ as rational expressions in the variables $X_i$ and $W_i$. Whenever Buchberger's algorithm
requires division by a rational expression E in the $X_i$ and $W_i$, we distinguish between
the case where E remains nonzero upon specializing x and w and the case where E
becomes zero upon specialization. This precomputation yields a finite decision tree
whose leaves correspond to all possible reduced Gröbner bases. In each leaf we can
decide whether the solution variety of the system $f(x, b) = w$ is zero-dimensional, and
if so we can compute an upper bound on its cardinality. Choose D to be the maximum
over all these upper bounds.

On input ($\mathbb{F}$, x, w) we now find the corresponding Gröbner basis by evaluating a
bounded number of rational expressions that also only needs a bounded number of
field operations. From the Gröbner basis we can read off whether the set of solutions,
i.e., the fiber of $f(x, \cdot)$ over w is zero-dimensional. If this is the case, the set of all
solutions $b \in \mathbb{F}^n$ can be computed by iteratively solving a bounded number of univariate
equations, which again can be done efficiently. By construction, this set has cardinality
at most D.

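We now show that $|W^x_{\mathrm{good}}| = \Omega(d^n)$ for all $x \in X_{\mathrm{good}}$. Fix $x \in X_{\mathrm{good}}$. On the
open set $\bar U$ in $\bar{\mathbb{F}}^n$ where all coordinates $b_i$ are distinct, the differential $d\varphi$ of the map
$\varphi : \bar U \to \bar{\mathbb{F}}^n$ sending b to $f(x, b)$ has full rank everywhere. Indeed, at b the differential
of this map sends $c \in \bar{\mathbb{F}}^n$ to

$$\begin{pmatrix} 1 & & & \\ & 2 & & \\ & & \ddots & \\ & & & n \end{pmatrix} \begin{pmatrix} 1 & 1 & \cdots & 1 \\ b_1 & b_2 & \cdots & b_n \\ \vdots & \vdots & & \vdots \\ b_1^{n-1} & b_2^{n-1} & \cdots & b_n^{n-1} \end{pmatrix} \begin{pmatrix} c_1 x_1 \\ c_2 x_2 \\ \vdots \\ c_n x_n \end{pmatrix}.$$

Now the first matrix is invertible because the characteristic of $\mathbb{F}$ is larger than n, and
the second matrix is invertible because the $b_i$ are distinct. Hence if $d_b\varphi$ maps c to 0
then all $c_j x_j$ are zero, and as $x \in (\mathbb{F}^\times)^n$ we find c = 0, i.e., $d_b\varphi$ is injective.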

This implies that the fibers of $\varphi$ over w are all zero-dimensional.³ Their cardinalities
are bounded from above by D. Let U denote the intersection of $\bar U$ with $\mathbb{F}^n$. The upper
bound implies that the size of the image $\varphi(U)$ is at least $|\varphi(U)| \ge |U|/D = \Omega(d^n)$.
Clearly, the fibers of $f(x, \cdot)$ over w are zero-dimensional for all $w \in \varphi(U)$ that do
not lie in the image of the complement of $\bar U$ under the map $f(x, \cdot)$. This image is
certainly contained in some subvariety $\bar I_x \subset \bar{\mathbb{F}}^n$ defined over $\mathbb{F}$ of dimension n − 1 since
$\dim(\bar{\mathbb{F}}^n \setminus \bar U) = n - 1$. Hence, we can apply Schwartz-Zippel's theorem (Prop. 98 in
Ref. [23]) and conclude that the cardinality of the intersection $I_x$ of $\bar I_x$ with $\mathbb{F}^n$ is at
most $\kappa d^{n-1}$. Here $\kappa$ is a uniform upper bound on the degree of the equation defining $\bar I_x$,
which can again be found by a generic Gröbner basis computation without specifying
x. This completes the proof that for each $x \in X_{\mathrm{good}}$ the number of w such that the
fiber of $f(x, \cdot)$ over w is zero-dimensional is $\Omega(d^n)$.

□

³ This is an elementary statement from algebraic geometry: If some fiber has positive dimension, then it
contains a point b where the tangent space to the fiber has positive dimension. This tangent space is then
mapped to zero by $d_b\varphi$, a contradiction to the injectivity of this linear map. For a concise introduction to
the interplay between dimension and tangent spaces we refer to [6, chapter 9, paragraph 6].

With Lemma 3.1 the following corollary is a direct consequence of Prop. 4.1.



Corollary 4.2. For p > n the approximative measurement of Sec. 3.4 can be
implemented efficiently. Furthermore, for the success probability we have

x£¥ n \w£F n I x£(F x )" \w<E<p(U)\I x 



> ' (rf -i)-(^- 1 )-(''-" +1 )- M f-V 

- d 3ny ' \ D 

2 



= l/D z -0(l/d), 
which leads to a lower bound that does not depend on the field size d. 



4.2 Second Analysis 

The following general proposition allows us to make statements about the size of the
preimages of a general morphism $f : \mathbb{A}^m \times \mathbb{A}^n \to \mathbb{A}^n$ over an affine space $\mathbb{A}$
independently of the underlying field $\mathbb{F}$. This morphism should be thought of as a family of
morphisms from the n-dimensional space $\mathbb{A}^n$ to itself, parameterized by $\mathbb{A}^m$.

Proposition 4.3. Consider a morphism $f : \mathbb{A}^m \times \mathbb{A}^n \to \mathbb{A}^n$ over $\mathbb{Z}$, that is, f is given
by an n-tuple $f = (f_1, \ldots, f_n)$ of polynomials in $\mathbb{Z}[X, B]$, where $X = (X_1, \ldots, X_m)$
and $B = (B_1, \ldots, B_n)$ are the coordinates on $\mathbb{A}^m$ and on the first copy of $\mathbb{A}^n$,
respectively. Suppose that the Jacobian determinant $\det(\partial f_i/\partial B_j)_{ij}$ is a non-zero element
of $\mathbb{Z}[X, B]$. Then there exists a real number $\gamma$ with $0 < \gamma < 1$ and a non-zero
polynomial $g \in \mathbb{Z}[X]$ such that for all finite fields $\mathbb{F}$ and all $x \in \mathbb{F}^m$ with $g(x) \ne 0$ when g is
considered as a polynomial over $\mathbb{F}$ we have $|f(\{x\} \times \mathbb{F}^n)| > \gamma |\mathbb{F}|^n$.

Proof. By the condition on the Jacobian determinant $f_1, \ldots, f_n \in \mathbb{Q}(X, B)$ are
algebraically independent over $\mathbb{Q}(X)$.⁵ As $\mathbb{Q}(X, B)$ has transcendence degree n over
$\mathbb{Q}(X)$, every $B_i$ is algebraic over $\mathbb{Q}(X, f_1, \ldots, f_n)$, i.e., there exist non-zero
polynomials $P_1, \ldots, P_n \in \mathbb{Z}[X, W, T]$ such that $P_i(X, f, B_i) = 0 \in \mathbb{Z}[X, B]$. View $P_i$ as a
polynomial of degree $d_i \in \mathbb{N}$ in T with coefficients from $\mathbb{Z}[X, W]$, and let $Q_i \in \mathbb{Z}[X, W]$
be the (non-zero) coefficient of $T^{d_i}$ in $P_i$. Then $h := \prod_i Q_i(X, W)$ is a non-zero
polynomial in $\mathbb{Z}[X, W]$. By the algebraic independence of the $f_i$, $h(X, f(X, B))$ is a
non-zero polynomial in $\mathbb{Z}[X, B]$; viewing this as a polynomial of degree e in B with
coefficients from $\mathbb{Z}[X]$, let $g \in \mathbb{Z}[X]$ be any non-zero coefficient of a monomial $B^\alpha$ of
degree e.

⁴ This condition on f says that generic morphisms in this family are dominant. When we work over
algebraically closed fields $\mathbb{F}$ this means that the image is dense in $\mathbb{F}^n$. The proposition states that over finite
fields the generic morphism still hits a large subset of $\mathbb{F}^n$.

⁵ If $P \in \mathbb{Q}(X)[W_1, \ldots, W_n]$ is of minimal degree with $P(f) = P(f_1, \ldots, f_n) = 0$, then differentiation with
respect to $B_j$ and the chain rule gives $\sum_i \frac{\partial P}{\partial W_i}(f)\, \frac{\partial f_i}{\partial B_j} = 0$, so that $\big(\frac{\partial P}{\partial W_i}(f)\big)_i$ is in the row kernel of the
Jacobian matrix, and non-zero by minimality of deg(P), whence $\det\big(\frac{\partial f_i}{\partial B_j}\big) = 0$.

Now let $\mathbb{F}$ be any finite field and let $x \in \mathbb{F}^m$ be such that $g(x) \ne 0$. Then $q :=
h(x, f(x, B))$ is a non-zero polynomial in $\mathbb{F}[B]$ of degree e. For any $b \in \mathbb{F}^n$ outside the
zero set of q we have $Q_i(x, f(x, b)) \ne 0$ so that $P_i(x, f(x, b), T) \in \mathbb{F}[T]$ has degree $d_i$,
for all i = 1, ..., n. Again by construction, any $b' \in \mathbb{F}^n$ satisfying $f(x, b') = f(x, b)$
satisfies the system of polynomial equations $P_i(x, f(x, b), b'_i) = 0$ for i = 1, ..., n, which
has at most $D := \prod_i d_i$ solutions. We conclude that the fiber of $f(x, \cdot)$ over $f(x, b)$ has
a cardinality of at most D, and therefore

$$|f(\{x\} \times \mathbb{F}^n)| \ge \frac{|\{b \in \mathbb{F}^n : q(b) \ne 0\}|}{D}.$$

The Schwartz-Zippel theorem applied to q shows that the right-hand side of this
inequality is at least $(|\mathbb{F}|^n - e|\mathbb{F}|^{n-1})/D$. From this the existence of $\gamma$ follows. □

Remark 4.4. The polynomials $P_i$, g, and h can all be computed effectively, e.g., using
Gröbner basis methods [10, 6]. In general, the running time will depend very strongly
on the particular form of the morphism f, but it is independent of the field size d,
which is sufficient for our purposes. It is possible that a more refined analysis taking
into account the structure of f could lead to an improved performance for certain types
of morphisms.

Remark 4.5. We emphasize that we cannot rule out that the polynomial $g \in \mathbb{Z}[X]$ is
zero when considered as a polynomial over $\mathbb{F}$. This can only happen if all coefficients
of g are multiples of the characteristic p of $\mathbb{F}$. For this reason, we have to exclude all
finite fields with these characteristics.

Proposition 4.6. Let the $f_i$ be as in Subsection 4.1 and $g$ as in Prop. 4.3. Assume
that the polynomial $g$ is non-zero when considered over the finite field $\mathbb{F}$. Furthermore,
define the set

$$X_{\mathrm{good}} := \{x \in \mathbb{F}^n \mid g(x) \neq 0\}$$

and for $x \in X_{\mathrm{good}}$ the set

W* ood := {w G ¥ n I h(x,w) + and rf w > 1}, 

where $h \in \mathbb{Z}[X, W]$ is the polynomial from the proof of Prop. 4.3. Furthermore, take
the constant $D$ as in the proof. Then Lemma 3.1 can be applied. In particular, the
approximate measurement of Sec. 3.4 can be implemented efficiently and its success
probability is bounded from below by a positive and non-zero constant independent of
$d$.

Proof. In our application of Prop. 4.3 we have $m = n$ and the Jacobian determinant
$\det(\partial f_i/\partial B_j)$ is non-zero as after specializing all $X_i$ to 1 it is a non-zero scalar times the
Vandermonde determinant $\det(B_j^{i-1})$. This shows that we have a non-zero Jacobian
matrix. If the image of $g$ in $\mathbb{F}[X]$ is non-zero then by the Schwartz-Zippel theorem
at least $|\mathbb{F}|^n - \deg(g) \cdot |\mathbb{F}|^{n-1}$ of the elements $x \in \mathbb{F}^m$ lie in $X_{\mathrm{good}}$, hence we have
$|X_{\mathrm{good}}| \in \Theta(d^n)$. By the proof of Prop. 4.3, for all $x \in X_{\mathrm{good}}$ the set $B^x_{\mathrm{good}}$ from
Eq. (10) contains $\Theta(d^n)$ elements $b \in \mathbb{F}^n$ with $q(b) \neq 0$. Since for these $b$ the fiber of
$f(x, \cdot)$ over $f(x,b)$ contains at most $D$ elements, we also have $\Theta(d^n)$ elements in $W^x_{\mathrm{good}}$.
With Rem. 3.2 the lower bound for the success probability follows.

The membership in $X_{\mathrm{good}}$ can be computed efficiently because we only have to
evaluate $g(x)$. Furthermore, for given $x \in X_{\mathrm{good}}$ and $w \in \mathbb{F}^n$ the membership of $w$ in
$W^x_{\mathrm{good}}$ can be checked efficiently: By computing the zeros of the univariate polynomials
$P_i(x, w, T)$ in $\mathbb{F}$ we find the possible values for each of the $b_i$, and then we need only to
determine⁶ those combinations that are mapped to $w$. This also allows us to compute

efficiently for $x \in X_{\mathrm{good}}$ and $w \in W^x_{\mathrm{good}}$. □

Using these results, we show that the success probability of the approximate
measurement is bounded from below by a constant for n = 2 and fields of characteristic
p = 2. Recall that the first analysis cannot be applied in these cases since the
characteristic is not strictly greater than the degree.

Example 4.7. We consider the case n = 2 and find the two polynomials

$$P_1(X_1,X_2,W_1,W_2,T) := (-X_1X_2 - X_1^2)\,T^2 + (2W_2X_1)\,T + (W_1X_2 - W_2^2)$$
$$P_2(X_1,X_2,W_1,W_2,T) := (-X_1X_2 - X_2^2)\,T^2 + (2W_2X_2)\,T + (W_1X_1 - W_2^2)$$

with the leading terms

$$Q_1(X_1,X_2,W_1,W_2) := -X_1X_2 - X_1^2$$
$$Q_2(X_1,X_2,W_1,W_2) := -X_1X_2 - X_2^2.$$

Therefore, we have

$$h(X_1,X_2,W_1,W_2) = X_1X_2(X_1 + X_2)^2,$$

i.e., the polynomial $h \in \mathbb{Z}[X, W]$ is of degree zero in $W$ and we have

$$g(X_1,X_2) = X_1X_2(X_1 + X_2)^2.$$

Hence, for the maximum degree n = 2 of the hidden functions we find polynomials $P_1$
and $P_2$ where $x \in \mathbb{F}^2$ with $g(x) \neq 0$ exists for all finite fields $\mathbb{F}$ with $|\mathbb{F}| > 3$.
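As an added illustration (not code from the paper), the Python sketch below brute-forces Example 4.7 over small prime fields $\mathbb{F}_p$: it builds $X_{\mathrm{good}}$ from $g$, recovers each fiber of $f(x,\cdot)$ from the roots of $P_1$ and $P_2$ as in the proof of Prop. 4.6, and compares the result with exhaustive search. The morphism `f` is an assumption chosen to be consistent with the $P_i$ above; the restriction to prime fields and all function names are choices of this example.

```python
from itertools import product

D = 4  # d_1 * d_2: both P_1 and P_2 have degree 2 in T when g(x) != 0

def f(x, b, p):
    # ASSUMED morphism (not shown in this section), chosen so that
    # P_i(x, f(x,b), b_i) = 0: w1 = x1*b1^2 + x2*b2^2, w2 = x1*b1 + x2*b2.
    (x1, x2), (b1, b2) = x, b
    return ((x1*b1*b1 + x2*b2*b2) % p, (x1*b1 + x2*b2) % p)

def g(x, p):
    # g(X1, X2) = X1 * X2 * (X1 + X2)^2, reduced mod p
    x1, x2 = x
    return (x1 * x2 * (x1 + x2) ** 2) % p

def P(i, x, w, t, p):
    # P_1 / P_2 of Example 4.7 evaluated at T = t over F_p
    (x1, x2), (w1, w2) = x, w
    xi, xo = (x1, x2) if i == 1 else (x2, x1)
    return ((-x1*x2 - xi*xi)*t*t + 2*w2*xi*t + (w1*xo - w2*w2)) % p

def x_good(p):
    return [x for x in product(range(p), repeat=2) if g(x, p) != 0]

def fiber_via_roots(x, w, p):
    # Roots of P_i give the candidates for b_i; keep the pairs that map to w.
    roots = [[t for t in range(p) if P(i, x, w, t, p) == 0] for i in (1, 2)]
    return {b for b in product(*roots) if f(x, b, p) == w}

def fiber_brute(x, w, p):
    return {b for b in product(range(p), repeat=2) if f(x, b, p) == w}

def max_fiber(p):
    """Largest fiber of f(x, .) over all good x; checks both methods agree."""
    worst = 0
    for x in x_good(p):
        for b in product(range(p), repeat=2):
            w = f(x, b, p)
            fib = fiber_via_roots(x, w, p)
            assert fib == fiber_brute(x, w, p), (p, x, w)
            worst = max(worst, len(fib))
    return worst

if __name__ == "__main__":
    for p in (2, 5, 7):  # constructed sample fields
        print(p, len(x_good(p)), max_fiber(p))
```

Over $\mathbb{F}_2$ the set $X_{\mathrm{good}}$ is empty, while for p = 5 and p = 7 the largest fiber has two elements, within the bound D = 4.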



5 Conclusion and Outlook 

We have shown that certain instances of the hidden polynomial problem that are hard 
on classical computers can be solved efficiently on a quantum computer for a fixed total 
degree n and a fixed number m of indeterminates provided that the characteristic of 
the underlying field meets certain constraints. 

6 This can be done more efficiently by the replacement of the $P_i$ with a triangular system that can
be used to find the elements of S^, consecutively.

The extension of our results to arbitrary characteristics p of the field F, to more
general algebraic structures, e.g., rings with Fourier transforms, and the extension to
a broader class of functions such as rational functions are possible objectives of future
research. Additionally, it would be important to find other polynomial black-boxes
with efficient quantum algorithms and to explore if interesting real-life problems can
be reduced efficiently to such black-box problems.